<p>Hi All,<br> <br>I am facing an issue with the IKEv2 stack.<br>Please refer to the ipsec.conf file below:</p>
<p>Here we have 2 connections, SA1 and SA2, which are basically 2 IPsec SAs using the same tunnel (IKE SA).<br>The problem is that when I change the configuration of connection SA1 and fire "ipsec update", then both the SA1 and SA2 configurations are deleted, and thereafter if I try to bring up SA2, I see an error saying "no config named 'SA2'".</p>
<div>I am performing the following steps:<br>1. Bring up SA1: "ipsec up SA1"<br>2. Bring up SA2: "ipsec up SA2"<br>3. Close SA1<br>4. Close SA2<br>5. Update the configuration of only SA1 (changed leftprotoport and rightprotoport to 49154).<br>
6. Now I fired the "ipsec update" command.<br>7. Now try to bring up connection SA2: "ipsec up SA2"<br>8. In the attached logs, observe that an error is displayed saying: "charon: 09[CFG] no config named 'SA2'". Please observe that I have NOT updated the SA2 connection in the steps above. It seems that the SA2 configuration got deleted in step 6 above, and hence it displays the error.</div>
<div>Can you please confirm whether this behavior is correct, and whether I am making any mistake in my configuration?<br> <br>ipsec.conf<br>_____________________</div>
<pre>
config setup
    cachecrls=no
    charonstart=yes
    plutostart=no
    strictcrlpolicy=no
    uniqueids=no

ca section1
    cacert=/tmp/RootCert070f33_7349bbdb.pem
    auto=add

conn SA1
    ikelifetime=24h
    keyexchange=ikev2
    keyingtries=%forever
    keylife=90m
    reauth=no
    rekey=yes
    mobike=no
    dpddelay=0
    rekeymargin=4m
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128-sha1-modp1024,3des-sha1-modp1024!
    authby=rsasig
    left=20.20.20.20
    leftsubnet=10.10.10.10/32
    right=20.20.20.21
    rightsubnet=10.10.10.12/32
    leftprotoport=udp/49156
    rightprotoport=udp/49156
    leftcert=/tmp/BTScert.pem
    rightid=%any
    auto=add

conn SA2
    ikelifetime=24h
    keyexchange=ikev2
    keyingtries=%forever
    keylife=90m
    reauth=no
    rekey=yes
    mobike=no
    dpddelay=0
    rekeymargin=4m
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128-sha1-modp1024,3des-sha1-modp1024!
    authby=rsasig
    left=20.20.20.20
    leftsubnet=10.10.10.10/32
    right=20.20.20.21
    rightsubnet=10.10.10.12/32
    leftprotoport=udp/65535
    rightprotoport=udp/65535
    leftcert=/tmp/BTScert.pem
    rightid=%any
    auto=add
</pre>
<p>Thanks and Regards<br>
Sajal</p>
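<p>A check worth running before "ipsec update", as an added example that is not part of the post above and is not strongSwan code: a small parser for ipsec.conf-style section files and a diff that reports which conn sections actually differ between the old and the new file. It only compares the two files; it does not model what charon does on reload. The two config texts are constructed from the ipsec.conf posted above, with SA1's leftprotoport/rightprotoport changed as in step 5; the section names, parameter names and values come from the posted file.</p>

```python
"""Parse ipsec.conf-style files and report which conn sections differ.

Added example, not strongSwan code. OLD_CONF is constructed from the ipsec.conf
in the post; NEW_CONF is the same file with SA1's protoports changed (step 5).
"""
import re

# Section headers sit at column 0: "config setup", "ca <name>", "conn <name>".
SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}} for every section in the file.

    Parameters are indented key=value lines; '#' comments and blank lines are
    skipped. 'also=' includes are kept as ordinary parameters (not resolved).
    """
    sections = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():            # unindented: section header
            m = SECTION_RE.match(line)
            if not m:
                raise ValueError(f"line {lineno}: bad section header {line!r}")
            current = (m.group(1), m.group(2))
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"line {lineno}: parameter outside any section")
        key, sep, value = line.strip().partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected key=value, got {line.strip()!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def _conns(text):
    return {name: params for (kind, name), params in parse_ipsec_conf(text).items()
            if kind == "conn"}


def diff_conns(old_text, new_text):
    """Return (added, removed, changed, unchanged) sets of conn names."""
    old, new = _conns(old_text), _conns(new_text)
    added = set(new) - set(old)
    removed = set(old) - set(new)
    common = set(old) & set(new)
    changed = {n for n in common if old[n] != new[n]}
    return added, removed, changed, common - changed


def changed_params(old_text, new_text, conn):
    """Return {key: (old_value, new_value)} for a conn present in both files."""
    old, new = _conns(old_text)[conn], _conns(new_text)[conn]
    return {k: (old.get(k), new.get(k))
            for k in set(old) | set(new) if old.get(k) != new.get(k)}


# Constructed from the posted ipsec.conf (conn sections only; the shared
# parameters are abbreviated to what matters for the diff).
OLD_CONF = """
config setup
    charonstart=yes
    uniqueids=no

conn SA1
    keyexchange=ikev2
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128-sha1-modp1024,3des-sha1-modp1024!
    authby=rsasig
    left=20.20.20.20
    leftsubnet=10.10.10.10/32
    right=20.20.20.21
    rightsubnet=10.10.10.12/32
    leftprotoport=udp/49156
    rightprotoport=udp/49156
    auto=add

conn SA2
    keyexchange=ikev2
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128-sha1-modp1024,3des-sha1-modp1024!
    authby=rsasig
    left=20.20.20.20
    leftsubnet=10.10.10.10/32
    right=20.20.20.21
    rightsubnet=10.10.10.12/32
    leftprotoport=udp/65535   # SA2 is left untouched
    rightprotoport=udp/65535
    auto=add
"""

# Step 5 of the post: only SA1's protoports move to 49154.
NEW_CONF = OLD_CONF.replace("udp/49156", "udp/49154")


if __name__ == "__main__":
    added, removed, changed, unchanged = diff_conns(OLD_CONF, NEW_CONF)
    print("added:", sorted(added), "removed:", sorted(removed))
    print("changed:", sorted(changed), "unchanged:", sorted(unchanged))
    for conn in sorted(changed):
        print(conn, changed_params(OLD_CONF, NEW_CONF, conn))
```

<p>Run it against the saved copy of the previous ipsec.conf and the edited one; if SA2 shows up as unchanged (and not as removed), the file itself is not what dropped the connection, and the question becomes how the daemon handles the reload.</p>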